Best Retail Advice – Go Hack Yourself!

When did baby monitors and election booths become weapons of mass disruption? At what point did a GPS or our own F-16 fighter jets become potential tools for America’s enemies? “When” isn’t nearly as important as “how,” and what steps should be taken to mitigate the impact of hackers, whether they are employed by foreign governments, mercenaries making money, or amateurs with a warped sense of right and wrong.

Retail remains one of the most lucrative targets. It is the golden goose for sellable consumer data—perhaps more so than financial institutions—and those in the industry must remain vigilant by monitoring and testing systems 24/7 for weaknesses.

The best advice from cybersecurity professionals? Go hack yourself!

False Security

Some retail insiders believe that their business is far safer than it was, having spent millions of dollars on consultants, fixes and security upgrades to shut the backdoor into their systems. The most dangerous belief in the digital age is overconfidence in one’s own security.

Many security professionals believe 2017 is shaping up to be a strong year for cybercriminals. We may be getting smarter, but unfortunately, so is the global network of hackers, whose speed and methods for planting malicious code are better than ever.

Recent examples are numerous. JPEG 2000, a seemingly prosaic system to download PDFs, gave hackers remote access to any system. A Russian cybercrime group known for hacking banks and retailers breached computer systems at Oracle’s point-of-sale division. And cases mount in which malicious JavaScript code was used to skim payment card data.

If all the warnings sound like the same digital battle cry you’ve heard for years, you’re right! But as the old saying goes, repetition fixes firmly, particularly since some hackers specialize in finding and exploiting vectors, points of weakness at retail—whether it’s a company’s own network, devices used by staffers or vendors to access the system, or companies storing retail data in the cloud.

Losing Battle?

Beating back cybercriminals is a daily battle. Unfortunately, it’s one that no one wins for very long. Often, the best you can do is to temporarily mitigate risks before hackers find other ways in. Just ask the NSA, IRS and other government agencies where cyberdefenses struggle to resist multiple attacks from Russia, Eastern Europe, China, North Korea and the Middle East.

The White House released its Cybersecurity Action Plan, which includes extending hacking prevention efforts from the government to the private sector. But the success of joint efforts is questionable. Many agencies are still using antiquated systems that haven’t been updated since Y2K, and there’s a lack of coherent leadership in cybersecurity. Additionally, there’s no guarantee that this plan will survive into the next administration.

Meanwhile, the federal government has tasked the NSA to develop its own “tiger team” of elite hackers and assorted experts known as Tailored Access Operations (TAO). The NSA team is said to have a comprehensive, six-step process for infiltrating a target system to ferret out weaknesses. These include: reconnaissance, initial exploitation, establishing persistence by subverting other apps, installing tools, moving laterally through the system, collecting the data, exfiltration and exploitation of the data.

Waiting for the government to come up with a solution is a bit like Nero fiddling while Rome burns. Meanwhile, retail is simply too good for hackers to pass up. Trustwave Global Security’s 2015 report found that 43 percent of its data breach investigations were in the retail industry, including e-commerce and brick-and-mortar. Quocirca, a research and analysis firm specializing in the European market, recently revealed that 70 percent of European retailers have been targeted, with 45 percent of those attempts being successful. One-third resulted in data loss.

Adoption of computer chip cards has helped. However, retailers on both sides of the Atlantic have been relatively slow to accept them, and some research indicates that as many as 40 percent have not installed EMV-capable POS readers. Among those that have, only about 20 percent have activated them.

Skimming Retail

Santa Clara-based research firm WhiteHat Security found that nearly 6,000 retailers have malicious code on their websites that is capable of skimming, or stealing, customer data, with the greatest vulnerability in web-based payment systems.

Among their findings:

About half of all retail websites exhibit at least one serious security flaw every day. On average, retail sites exhibit 23 unique vulnerabilities.

This includes 13 “serious” vulnerabilities, classified as either “critical” or “high-risk.”

Retailers are rectifying just under half of the website vulnerabilities of which they are aware.

It takes retailers an average of 205 days to implement a fix once they are aware of a vulnerability.

For those with a somewhat parochial, or warped, sense of priorities, there is a silver lining in this massive retail migraine. Cybersecurity—effective or not—has become a major industry in itself. Worldwide, the market for products and services, a mere $3.5 billion business in 2004, will hit an astounding $1 trillion by 2021 according to CyberSecurity Ventures, thanks to continuing demand for smartphones and other mobile devices and the entire Internet of Things (IoT) concept—a favorite of hackers-for-hire who see a connected world as their digital playground.

The amount spent on protection is cheap, considering that cybercrime, according to CyberSecurity Ventures, is expected to cost the world $6 trillion by 2021. But after ignoring the problem for years, or calling cybercrime nothing but fear mongering, U.S. companies are still catching up.

Zero Unemployment

Consequently, the cybersecurity unemployment rate will remain at virtually zero over the next five years, with global demand for professionals hitting six million by 2019—1.5 million in the U.S. alone. High demand means that retailers should start upping their budgets to avoid big gaps in security and compete for available talent. Anyone reading this who has college-age children with an affinity for art history might want to point them in a different direction.

DICE, an online job board, has listed the top IT security salaries as follows:

Salaries are likely to go even higher given that consulting and research firm IDC estimates that by 2018, 75 percent of chief security and chief information officers will report directly to the CEO.

For all this money and, presumably, talent, is the industry prepared with either a disaster recovery plan or preemptive security measures for what’s been called a “cyber world war”? First, you have to realize that no one and nothing is safe from outside intrusion and the concept of privacy is a myth.

Fighting Back

The next step is to dust off those disaster recovery plans that were probably written a decade ago and revamp them for the digital age. According to industry experts, there are a number of daily considerations to be addressed:

Get word to employees that systems, including schedules and payroll, may be compromised.

Tell all vendors that their systems may be hacked to access yours.

Institute a plan to back up data before emergencies arise, not only to cloud services, but to external backup drives.

Ensure that the company’s firewall and all software are up to date. Download all manufacturer patches to tighten security and eliminate weaknesses.

Conduct regular scans of internal systems to detect hacking.

Limit or shut down remote access by vendors and employees. The Department of Homeland Security has said that hackers use remote access tools to break into retail point-of-sale (POS) systems and plant malware.

Don’t put all your eggs, so to speak, in one basket. Segment the network by separating POS data, security cameras and Wi-Fi. That way, the entire network is not at risk with one keystroke.

Configure systems to lock a user account once a specific number of failed login attempts occurs or after a set period of time.

Limit the number of users and company workstations that can log in using remote access tools. Additionally, mitigate risk by separating public-facing systems from internal ones.

Pay particular attention to security measures among cloud providers. You are handing over all your data to these companies, so due diligence on your part is essential.
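The lockout rule in the list above (lock an account once a set number of failed login attempts occurs) is simple to state but has one detail worth seeing in code: failures have to be counted inside a time window, and the lock has to expire. The following is an added example written for this article, not code from the original piece or from any vendor; it implements a sliding-window lockout policy and replays it over a constructed set of login events (the timestamps, user names and addresses are invented). It also shows the policy's limit: a slow trickle of failures spread wider than the window never trips the lock, which is why a lockout threshold is a complement to monitoring rather than a replacement for it.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample of authentication events (not from any real system).
# Format per line: "<seconds> <user> <source address> <OK|FAIL>"
SAMPLE_EVENTS = """\
0 alice 10.0.5.20 FAIL
5 alice 10.0.5.20 FAIL
9 bob 10.0.5.21 OK
12 alice 10.0.5.20 FAIL
14 alice 10.0.5.20 FAIL
20 alice 10.0.5.20 FAIL
25 alice 10.0.5.20 OK
400 alice 10.0.5.20 OK
500 carol 10.0.7.9 FAIL
2000 carol 10.0.7.9 FAIL
3500 carol 10.0.7.9 FAIL
5000 carol 10.0.7.9 FAIL
6500 carol 10.0.7.9 FAIL
"""


@dataclass
class LockoutPolicy:
    max_failures: int = 5       # failures tolerated inside the window
    window_seconds: int = 300   # sliding window over which failures are counted
    lockout_seconds: int = 900  # how long the account stays locked once tripped


@dataclass
class AccountState:
    failures: Deque[int] = field(default_factory=deque)  # timestamps of recent failures
    locked_until: Optional[int] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = defaultdict(AccountState)
        self.lock_events: List[Tuple[int, str, str]] = []  # (time, user, source)

    def _prune(self, state: AccountState, now: int) -> None:
        # Drop failures that have aged out of the sliding window.
        cutoff = now - self.policy.window_seconds
        while state.failures and state.failures[0] <= cutoff:
            state.failures.popleft()

    def is_locked(self, user: str, now: int) -> bool:
        state = self.accounts[user]
        if state.locked_until is None:
            return False
        if now < state.locked_until:
            return True
        # Lock has expired: clear it and start counting afresh.
        state.locked_until = None
        state.failures.clear()
        return False

    def record(self, now: int, user: str, source: str, result: str) -> str:
        """Apply one login event and return the decision taken for it."""
        if self.is_locked(user, now):
            return "REJECTED_LOCKED"      # even a correct password is refused while locked
        state = self.accounts[user]
        if result == "OK":
            state.failures.clear()        # a success resets the failure count
            return "ACCEPTED"
        state.failures.append(now)
        self._prune(state, now)
        if len(state.failures) >= self.policy.max_failures:
            state.locked_until = now + self.policy.lockout_seconds
            self.lock_events.append((now, user, source))
            return "LOCKED"
        return "FAILED"


def replay(events: str, policy: LockoutPolicy):
    """Run every event through the tracker; return (user, decision) pairs and the tracker."""
    tracker = LockoutTracker(policy)
    decisions = []
    for line in events.strip().splitlines():
        ts, user, source, result = line.split()
        decisions.append((user, tracker.record(int(ts), user, source, result)))
    return decisions, tracker


if __name__ == "__main__":
    decisions, tracker = replay(SAMPLE_EVENTS, LockoutPolicy())
    for user, decision in decisions:
        print(f"{user:6} {decision}")
    print("lock events:", tracker.lock_events)
```

With the default policy, alice's fifth failure in 20 seconds locks the account and her two later successful logins are refused until the lock expires at second 920; carol's five failures, spaced 1,500 seconds apart, each age out of the 300-second window before the next arrives, so she is never locked and only shows up in a log review. The `lock_events` list is what a scan of internal systems would feed into the daily review the article calls for.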